Lots of teams get thrashed trying to fix or bring down the count of CVEs so they can ship, so Chainguard provide images with a guarantee of 0 CVEs. It saves folks a lot of time patching to bring down the count. However, it's a novel situation as most of the time these vulnerabilities are not even reachable in the first place, they are just noise. So it's a solution more appeasing to security theatre than a real-world threat. Once in a while a nasty thing comes along like Log4Shell or Heartbleed, but most of it is just noise. They do cut down image size significantly though, which is something I personally like and has value for saving ingress costs. Think Alpine.
Chainguard is proof that modern CI/CD is still a luxury product for most of the industry. They have a fantastic amount of automation behind image production, including some tools they rolled themselves (like apko).
Disclosure: I am friends with / have worked with some Chainguard folks.
Declarative image builds, nightly rebuilds of the whole ecosystem, and they bake the SBOM into the images. It is a really good offering. It's a shame we had to use the competing offering from Red Hat for contractual reasons.
I work at Chainguard, hoping this helps answer your question. Chainguard has free and paid images. You can find all the free images in the Chainguard Images Directory: https://images.chainguard.dev/directory?category=all
I was expecting an answer to my question to then build myself an answer to his original question. I was trying to showcase what Chainguard Images are in a nutshell. But you are right: overly complicated.
What images do you usually use and where do you pull them from? ;-)